refactoring

Author: msafwankarim

deployments/kubernetes/chart/reloader/templates/deployment.yaml

@@ -274,6 +274,26 @@ spec:
             {{- if .Values.reloader.custom_annotations.configmap_auto }}
           - "--configmap-auto-annotation"
           - "{{ .Values.reloader.custom_annotations.configmap_auto }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.configmap_exclude }}
+          - "--configmap-exclude-annotation"
+          - "{{ .Values.reloader.custom_annotations.configmap_exclude }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.secret_exclude }}
+          - "--secret-exclude-annotation"
+          - "{{ .Values.reloader.custom_annotations.secret_exclude }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.secretproviderclass }}
+          - "--secretproviderclass-annotation"
+          - "{{ .Values.reloader.custom_annotations.secretproviderclass }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.secretproviderclass_auto }}
+          - "--secretproviderclass-auto-annotation"
+          - "{{ .Values.reloader.custom_annotations.secretproviderclass_auto }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.secretproviderclass_exclude }}
+          - "--secretproviderclass-exclude-annotation"
+          - "{{ .Values.reloader.custom_annotations.secretproviderclass_exclude }}"
             {{- end }}
             {{- if .Values.reloader.custom_annotations.search }}
           - "--auto-search-annotation"

deployments/kubernetes/chart/reloader/values.yaml

@@ -216,6 +216,11 @@ reloader:
   #   custom_annotations:
   #     configmap: "my.company.com/configmap"
   #     secret: "my.company.com/secret"
+  #     configmap_exclude: "my.company.com/configmap-exclude"
+  #     secret_exclude: "my.company.com/secret-exclude"
+  #     secretproviderclass: "my.company.com/secretproviderclass"
+  #     secretproviderclass_auto: "my.company.com/secretproviderclass-auto"
+  #     secretproviderclass_exclude: "my.company.com/secretproviderclass-exclude"
   #     ignore: "my.company.com/reloader-ignore"
   custom_annotations: {}
 

internal/pkg/config/flags.go

@@ -182,6 +182,26 @@ func BindFlags(fs *pflag.FlagSet, cfg *Config) {
 		"secret-annotation", cfg.Annotations.SecretReload,
 		"Annotation to detect changes in secrets, specified by name",
 	)
+	fs.String(
+		"configmap-exclude-annotation", cfg.Annotations.ConfigmapExclude,
+		"Annotation to exclude named configmaps from triggering reloads",
+	)
+	fs.String(
+		"secret-exclude-annotation", cfg.Annotations.SecretExclude,
+		"Annotation to exclude named secrets from triggering reloads",
+	)
+	fs.String(
+		"secretproviderclass-auto-annotation", cfg.Annotations.SecretProviderClassAuto,
+		"Annotation to detect changes in secret provider classes (CSI)",
+	)
+	fs.String(
+		"secretproviderclass-annotation", cfg.Annotations.SecretProviderClassReload,
+		"Annotation to detect changes in secret provider classes (CSI), specified by name",
+	)
+	fs.String(
+		"secretproviderclass-exclude-annotation", cfg.Annotations.SecretProviderClassExclude,
+		"Annotation to exclude named secret provider classes (CSI) from triggering reloads",
+	)
 	fs.String(
 		"auto-search-annotation", cfg.Annotations.Search,
 		"Annotation to detect changes in configmaps or secrets tagged with special match annotation",
@@ -190,6 +210,10 @@ func BindFlags(fs *pflag.FlagSet, cfg *Config) {
 		"search-match-annotation", cfg.Annotations.Match,
 		"Annotation to mark secrets or configmaps to match the search",
 	)
+	fs.String(
+		"ignore-annotation", cfg.Annotations.Ignore,
+		"Annotation to ignore changes on watched resources",
+	)
 	fs.String(
 		"pause-deployment-annotation", cfg.Annotations.PausePeriod,
 		"Annotation to define the time period to pause a deployment after a configmap/secret change",
@@ -289,23 +313,17 @@ func ApplyFlags(cfg *Config) error {
 	cfg.Annotations.SecretAuto = v.GetString("secret-auto-annotation")
 	cfg.Annotations.ConfigmapReload = v.GetString("configmap-annotation")
 	cfg.Annotations.SecretReload = v.GetString("secret-annotation")
+	cfg.Annotations.ConfigmapExclude = v.GetString("configmap-exclude-annotation")
+	cfg.Annotations.SecretExclude = v.GetString("secret-exclude-annotation")
+	cfg.Annotations.SecretProviderClassAuto = v.GetString("secretproviderclass-auto-annotation")
+	cfg.Annotations.SecretProviderClassReload = v.GetString("secretproviderclass-annotation")
+	cfg.Annotations.SecretProviderClassExclude = v.GetString("secretproviderclass-exclude-annotation")
 	cfg.Annotations.Search = v.GetString("auto-search-annotation")
 	cfg.Annotations.Match = v.GetString("search-match-annotation")
+	cfg.Annotations.Ignore = v.GetString("ignore-annotation")
 	cfg.Annotations.PausePeriod = v.GetString("pause-deployment-annotation")
 	cfg.Annotations.PausedAt = v.GetString("pause-deployment-time-annotation")
 
-	// SecretProviderClass annotations have no dedicated CLI flag (parity with
-	// master); keep the configured defaults.
-	if cfg.Annotations.SecretProviderClassAuto == "" {
-		cfg.Annotations.SecretProviderClassAuto = DefaultAnnotations().SecretProviderClassAuto
-	}
-	if cfg.Annotations.SecretProviderClassReload == "" {
-		cfg.Annotations.SecretProviderClassReload = DefaultAnnotations().SecretProviderClassReload
-	}
-	if cfg.Annotations.SecretProviderClassExclude == "" {
-		cfg.Annotations.SecretProviderClassExclude = DefaultAnnotations().SecretProviderClassExclude
-	}
-
 	// Alerting
 	cfg.Alerting.Enabled = v.GetBool("alert-on-reload")
 	cfg.Alerting.WebhookURL = v.GetString("alert-webhook-url")

internal/pkg/config/flags_test.go

@@ -55,8 +55,14 @@ func TestBindFlags(t *testing.T) {
 		"secret-auto-annotation",
 		"configmap-annotation",
 		"secret-annotation",
+		"configmap-exclude-annotation",
+		"secret-exclude-annotation",
+		"secretproviderclass-auto-annotation",
+		"secretproviderclass-annotation",
+		"secretproviderclass-exclude-annotation",
 		"auto-search-annotation",
 		"search-match-annotation",
+		"ignore-annotation",
 		"pause-deployment-annotation",
 		"pause-deployment-time-annotation",
 		"watch-namespace",
@@ -153,6 +159,131 @@ func TestBindFlags_CustomValues(t *testing.T) {
 	}
 }
 
+func TestApplyFlags_SecretProviderClassAnnotations(t *testing.T) {
+	// Defaults are preserved when the flags are not provided.
+	resetViper()
+	cfg := NewDefault()
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	if err := fs.Parse(nil); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	defaults := DefaultAnnotations()
+	if cfg.Annotations.SecretProviderClassAuto != defaults.SecretProviderClassAuto {
+		t.Errorf("SecretProviderClassAuto = %q, want default %q", cfg.Annotations.SecretProviderClassAuto, defaults.SecretProviderClassAuto)
+	}
+	if cfg.Annotations.SecretProviderClassReload != defaults.SecretProviderClassReload {
+		t.Errorf("SecretProviderClassReload = %q, want default %q", cfg.Annotations.SecretProviderClassReload, defaults.SecretProviderClassReload)
+	}
+	if cfg.Annotations.SecretProviderClassExclude != defaults.SecretProviderClassExclude {
+		t.Errorf("SecretProviderClassExclude = %q, want default %q", cfg.Annotations.SecretProviderClassExclude, defaults.SecretProviderClassExclude)
+	}
+
+	// Custom values are applied from the flags.
+	resetViper()
+	cfg = NewDefault()
+	fs = pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	args := []string{
+		"--secretproviderclass-auto-annotation=spc.example.com/auto",
+		"--secretproviderclass-annotation=spc.example.com/reload",
+		"--secretproviderclass-exclude-annotation=spc.example.com/exclude",
+	}
+	if err := fs.Parse(args); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	if cfg.Annotations.SecretProviderClassAuto != "spc.example.com/auto" {
+		t.Errorf("SecretProviderClassAuto = %q, want %q", cfg.Annotations.SecretProviderClassAuto, "spc.example.com/auto")
+	}
+	if cfg.Annotations.SecretProviderClassReload != "spc.example.com/reload" {
+		t.Errorf("SecretProviderClassReload = %q, want %q", cfg.Annotations.SecretProviderClassReload, "spc.example.com/reload")
+	}
+	if cfg.Annotations.SecretProviderClassExclude != "spc.example.com/exclude" {
+		t.Errorf("SecretProviderClassExclude = %q, want %q", cfg.Annotations.SecretProviderClassExclude, "spc.example.com/exclude")
+	}
+}
+
+func TestApplyFlags_ExcludeAnnotations(t *testing.T) {
+	// Defaults are preserved when the flags are not provided.
+	resetViper()
+	cfg := NewDefault()
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	if err := fs.Parse(nil); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	defaults := DefaultAnnotations()
+	if cfg.Annotations.ConfigmapExclude != defaults.ConfigmapExclude {
+		t.Errorf("ConfigmapExclude = %q, want default %q", cfg.Annotations.ConfigmapExclude, defaults.ConfigmapExclude)
+	}
+	if cfg.Annotations.SecretExclude != defaults.SecretExclude {
+		t.Errorf("SecretExclude = %q, want default %q", cfg.Annotations.SecretExclude, defaults.SecretExclude)
+	}
+
+	// Custom values are applied from the flags.
+	resetViper()
+	cfg = NewDefault()
+	fs = pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	args := []string{
+		"--configmap-exclude-annotation=cm.example.com/exclude",
+		"--secret-exclude-annotation=sec.example.com/exclude",
+	}
+	if err := fs.Parse(args); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	if cfg.Annotations.ConfigmapExclude != "cm.example.com/exclude" {
+		t.Errorf("ConfigmapExclude = %q, want %q", cfg.Annotations.ConfigmapExclude, "cm.example.com/exclude")
+	}
+	if cfg.Annotations.SecretExclude != "sec.example.com/exclude" {
+		t.Errorf("SecretExclude = %q, want %q", cfg.Annotations.SecretExclude, "sec.example.com/exclude")
+	}
+}
+
+func TestApplyFlags_IgnoreAnnotation(t *testing.T) {
+	// Default is preserved when the flag is not provided.
+	resetViper()
+	cfg := NewDefault()
+	fs := pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	if err := fs.Parse(nil); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	if cfg.Annotations.Ignore != DefaultAnnotations().Ignore {
+		t.Errorf("Ignore = %q, want default %q", cfg.Annotations.Ignore, DefaultAnnotations().Ignore)
+	}
+
+	// Custom value is applied from the flag.
+	resetViper()
+	cfg = NewDefault()
+	fs = pflag.NewFlagSet("test", pflag.ContinueOnError)
+	BindFlags(fs, cfg)
+	if err := fs.Parse([]string{"--ignore-annotation=my.company.com/reloader-ignore"}); err != nil {
+		t.Fatalf("Parse() error = %v", err)
+	}
+	if err := ApplyFlags(cfg); err != nil {
+		t.Fatalf("ApplyFlags() error = %v", err)
+	}
+	if cfg.Annotations.Ignore != "my.company.com/reloader-ignore" {
+		t.Errorf("Ignore = %q, want %q", cfg.Annotations.Ignore, "my.company.com/reloader-ignore")
+	}
+}
+
 func TestApplyFlags_BooleanStrings(t *testing.T) {
 	tests := []struct {
 		name    string

internal/pkg/controller/manager.go

@@ -246,7 +246,7 @@ func SetupReconcilers(mgr ctrl.Manager, cfg *config.Config, log logr.Logger, col
 			},
 			mgr.GetAPIReader(),
 		)
-		if err := spcReconciler.SetupWithManager(mgr); err != nil {
+		if err := SetupSecretProviderClassReconciler(mgr, spcReconciler); err != nil {
 			return fmt.Errorf("setting up secretproviderclass reconciler: %w", err)
 		}
 		log.Info("CSI SecretProviderClass reconciler enabled")

internal/pkg/controller/resource_reconciler.go

@@ -21,7 +21,9 @@ import (
 
 // ResourceReconcilerDeps holds shared dependencies for resource reconcilers.
 type ResourceReconcilerDeps struct {
-	Client         client.Client
+	Client client.Client
+	// APIReader is an optional non-cached reader for ResolveChange lookups.
+	APIReader      client.Reader
 	Log            logr.Logger
 	Config         *config.Config
 	ReloadService  *reload.Service
@@ -47,6 +49,16 @@ type ResourceConfig[T client.Object] struct {
 
 	// CreatePredicates creates the predicates for this resource type.
 	CreatePredicates func(cfg *config.Config, hasher *reload.Hasher) predicate.Predicate
+
+	// ResolveChange derives the change from a second object instead of CreateChange;
+	// ok=false skips the event (CSI: change comes from the parent SecretProviderClass).
+	ResolveChange func(ctx context.Context, reader client.Reader, log logr.Logger, resource T) (reload.ResourceChange, bool)
+
+	// SkipOnNotFound treats a missing object as a no-op (CSI deletes SPCPS as pods roll).
+	SkipOnNotFound bool
+
+	// BuildFilter overrides the default BuildEventFilter for the watch.
+	BuildFilter func(cfg *config.Config, hasher *reload.Hasher) predicate.Predicate
 }
 
 // ResourceReconciler is a generic reconciler for ConfigMaps and Secrets.
@@ -102,23 +114,43 @@ func (r *ResourceReconciler[T]) Reconcile(ctx context.Context, req ctrl.Request)
 		return ctrl.Result{}, nil
 	}
 
+	change, ok := r.buildChange(ctx, log, resource)
+	if !ok {
+		r.Collectors.RecordSkipped("resolve_skipped")
+		r.Collectors.RecordReconcile("success", time.Since(startTime))
+		return ctrl.Result{}, nil
+	}
+
 	result, err := r.reloadHandler().Process(
-		ctx, req.Namespace, req.Name, r.ResourceType,
+		ctx, change.GetNamespace(), change.GetName(), r.ResourceType,
 		func(workloads []workload.Workload) []reload.ReloadDecision {
-			return r.ReloadService.Process(r.CreateChange(resource, reload.EventTypeUpdate), workloads)
+			return r.ReloadService.Process(change, workloads)
 		}, log,
 	)
 
 	r.recordReconcile(startTime, err)
 	return result, err
 }
 
+// buildChange returns the change via ResolveChange when set, else CreateChange.
+func (r *ResourceReconciler[T]) buildChange(ctx context.Context, log logr.Logger, resource T) (reload.ResourceChange, bool) {
+	if r.ResolveChange != nil {
+		return r.ResolveChange(ctx, r.APIReader, log, resource)
+	}
+	return r.CreateChange(resource, reload.EventTypeUpdate), true
+}
+
 func (r *ResourceReconciler[T]) handleNotFound(
 	ctx context.Context,
 	req ctrl.Request,
 	log logr.Logger,
 	startTime time.Time,
 ) (ctrl.Result, error) {
+	if r.SkipOnNotFound {
+		r.Collectors.RecordSkipped("not_found")
+		r.Collectors.RecordReconcile("success", time.Since(startTime))
+		return ctrl.Result{}, nil
+	}
 	if r.Config.ReloadOnDelete {
 		r.Collectors.RecordEventReceived("delete", string(r.ResourceType))
 		result, err := r.handleDelete(ctx, req, log)
@@ -176,19 +208,19 @@ func (r *ResourceReconciler[T]) reloadHandler() *ReloadHandler {
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *ResourceReconciler[T]) SetupWithManager(mgr ctrl.Manager, forObject T) error {
-	// Capture the moment the controller is wired up (before the manager starts
-	// watching). Resources that already exist are replayed during the initial
-	// cache sync with an older creation timestamp; the create predicate uses
-	// this to ignore those replays while still honoring genuine creates that
-	// arrive afterwards.
-	startTime := time.Now()
+	var filter predicate.Predicate
+	if r.BuildFilter != nil {
+		filter = r.BuildFilter(r.Config, r.ReloadService.Hasher())
+	} else {
+		// time.Now() lets the create predicate ignore initial-sync replays of
+		// pre-existing resources (older creation timestamps) while honoring later creates.
+		filter = BuildEventFilter(
+			r.CreatePredicates(r.Config, r.ReloadService.Hasher()),
+			r.Config, time.Now(),
+		)
+	}
 	return ctrl.NewControllerManagedBy(mgr).
 		For(forObject).
-		WithEventFilter(
-			BuildEventFilter(
-				r.CreatePredicates(r.Config, r.ReloadService.Hasher()),
-				r.Config, startTime,
-			),
-		).
+		WithEventFilter(filter).
 		Complete(r)
 }